Note: This is an archival copy of Security Sun Alert 201440 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001085.1.

The Vi Improved (VIM) package may give unprivileged users the ability to execute arbitrary commands. VIM allows a user to set the modeline differently for each edited text file and allows the addition of "special comments" in those files. These comments can be modified to call external programs.

This vulnerability in the modeline function could allow an unprivileged user who has system access to create a text file such that, when it is opened, arbitrary or malicious commands are executed.
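The following audit script is an added example, not part of the original Sun Alert: it reports the "special comments" (modelines) in files so they can be reviewed before the files are opened in VIM. It assumes Vim's default `modelines` value of 5 (only the first and last five lines are inspected); the function names and the sample text are constructed for illustration.

```python
import re
import sys

# Deliberately broad match for Vim's documented modeline prefixes
# (vi:, vim:, Vim:, ex:, and version-qualified forms such as vim>700:).
# An audit tool may over-report; it must not under-report.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):\s*(.*)$")

def find_modelines(text, window=5):
    """Return (line_number, option_text) for each modeline Vim would consider.

    Vim inspects only the first and last `modelines` lines of a file;
    window=5 mirrors Vim's default for that option (an assumption here).
    """
    lines = text.splitlines()
    total = len(lines)
    hits = []
    for idx, line in enumerate(lines):
        if not (idx < window or idx >= total - window):
            continue  # outside the region Vim scans
        match = MODELINE_RE.search(line)
        if match:
            hits.append((idx + 1, match.group(1).strip()))
    return hits

def audit(paths, window=5):
    """Map each path that contains modelines to its list of hits."""
    report = {}
    for path in paths:
        # errors="replace" keeps the scan going on files with odd encodings.
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_modelines(fh.read(), window)
        if hits:
            report[path] = hits
    return report

# Constructed sample: modelines on line 2 and line 20, plus one on
# line 11 that lies outside the default five-line window.
SAMPLE = "\n".join(
    ["#!/bin/sh", "# vim: set ts=4 sw=4 et:"]
    + ["echo step"] * 8 + ["# vim: set tw=72:"] + ["echo step"] * 8
    + ["/* vi:ts=8 */"]
)

if __name__ == "__main__":
    for path, hits in audit(sys.argv[1:]).items():
        for lineno, opts in hits:
            print(f"{path}:{lineno}: modeline: {opts}")
```

Files the script reports can be read in a pager first, or opened only after `set nomodeline` is in effect in the user's vimrc, which turns modeline processing off.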